All Posts By

robintek

SAFETY TRAINING: ONE SIZE DOESN’T FIT ALL!

By Risk Management Bulletin

The wide variety in today’s workforce can present a challenge when it’s time for safety training. To do an effective job, take these factors into account:

  • Age. Younger workers might have trouble taking the safety aspect of their jobs seriously. Older workers might feel they already know it all and tune you out. Make it clear to trainees that this is important to all of them, perhaps using dramatic examples of safety failures involving different age groups.
  • English comprehension. Many people won’t admit they can’t read or understand English. Be alert to your workers’ ability — or inability — to understand written instructions and to comprehend English. A recent OSHA enforcement memorandum directed at protecting non-English speaking workers from workplace hazards requires compliance officers to verify that workers receive training in a language they understand. If you don’t speak the workers’ native language, you might want to involve an additional meeting leader who does.
  • Educational level. If your workers have a wide range of educational backgrounds, your task becomes more complicated. Use an approach that gets the message across to the less educated without being so simplistic that it turns off other workers. Consider using demonstration and practice rather than reading and lectures, and employ words and concepts that all trainees can understand.
  • Experience with products, processes, and technology. If you’re training relatively inexperienced workers, take a step-by-step approach and limit each meeting to a narrow topic area. Otherwise, you’ll overload participants. Experienced workers will more readily understand your references to equipment and procedures, but because they’re also more likely to resist changes in the way they work, sell them on safety in terms of both their own health and regulatory requirements.
  • Tolerance for length and frequency of meetings. The length of your workers’ attention and concentration span will determine how often you can have safety meetings and how long they can last. The format is also a factor in determining meeting length. People can’t usually sit and concentrate as long for lectures as for videos or programs that involve them directly.
  • Extent of prior safety training. The more training workers have received, the easier each subsequent meeting becomes. Once workers understand certain safety basics and incorporate them into their jobs, it becomes easier to add new cautions and procedures. Skip the preliminaries and some of the “safety sell” and get right to the specifics of your meeting.
  • Attitudes toward work and management. If some workers are hostile to you, the company, their jobs, and/or the meeting topic, safety meetings can be stressful. Face up to this problem at the beginning of the session by encouraging workers to express their feelings and ask them to try to keep an open mind. Stress the fact that safety training will benefit them by making accidents and injuries less likely.

RISK MANAGEMENT FOR DISASTERS: THE INSURANCE SOLUTION

By Risk Management Bulletin

If disaster strikes, the extent of protection against the risks your business faces can make the difference between survival and extinction. Once you’ve identified the risks involved, you have three basic options: (1) Reduce or eliminate them (avoidance); (2) Accept them (acceptance); or (3) Limit the financial damage by assigning the risks to an insurance company (risk transfer – or insurance).

Unfortunately, risk management protection through insurance often fails to go beyond Commercial Liability and Property coverages. For example, Key Person Life policy(ies) on one or more key executives will reimburse your business against potential financial losses from their death. Business Interruption coverage can help keep you up and running after a disaster by covering payroll expenses and protecting against the loss of suppliers and buyers. You should also consider other types of business insurance to minimize the damage from a catastrophe.

In deciding on the policies that best fit your needs, ask yourself these questions:

  • Are your coverage limits and deductibles appropriate?
  • For what types of disasters (perils) do you have insurance? Which perils are specifically excluded?
  • Does your insurance provide enough protection to senior management against litigation from inadequate business continuity planning?
  • Does your coverage factor in inflation, improvements, and building code changes?
  • Do you have your coverage for “replacement cost” or “actual value” (cost less depreciation)?
  • Will your Business Interruption insurance pay loss of income and payroll expenses?
  • Is your documentation (serial number, date of purchase, cost, receipts, photographs, etc.) current and detailed enough for your insurance company?
  • Have you secured the originals of all policies in a fireproof cabinet, or off site, with copies readily available?
  • Do you have coverage for loss of power or other critical services?
  • What about coverage for a denial of access order issued by civil authorities?
  • Does your insurance cover losses from a disruption of transportation services?
  • If the Disaster Management Team makes a “disaster declaration,” will your insurance cover the costs charged by your alternate site vendor? What about the extra personnel and other costs associated with activating and operating the alternate site?
  • Do you carry enough Life insurance on key executives? If you implement an effective Business Continuation Plan, will your insurance premiums go down? Have you reviewed your coverage with your professional insurance advisor within the past year?

The time to take action is now — before it’s too late. We’d be happy to help. Just give us a call.

UNDERSTANDING THE SPECIALTY DRUG TREND FORECAST AND WHY IT IS NEARLY DOUBLE THE RETAIL DRUG TREND

By Employment Resources

Although the pharmaceutical spending trend has declined in recent years, according to the Segal Company’s 2010 Health Plan Cost Trend Survey, the projected prescription drug trend is still 9.1% for the coming year, well above the country’s general inflation rate. This year’s figure is down significantly from the high of 19.7% reported in 2001.

Running counter to this trend is spending for so-called specialty drugs, which, according to the same survey, is expected to be nearly 18% for 2010, or double that of the general prescription drug trend. The biggest driver of the specialty drug trend is the growth in prescription drug use among children, according to the 2010 Drug Trend report from Medco. This growth was almost four times greater than the increase of prescription drug use among the general population. During the past nine years, the spike in specialty drugs has been driven by the increased use of antipsychotic, diabetes, and asthma drugs among children. In 2009, researchers found that more than one in four insured children in the US, and almost 30% of adolescents, took at least one prescription drug for a chronic condition.

Sadly, the obesity epidemic in the US is taking a toll, and no longer applies to adults only. Consequently, more 10- through 19-year-olds are developing diseases that used to be seen only in adults. Many of these diseases require ongoing, and expensive, drug therapy. Another large contributing factor for specialty drug use in children is the diagnosis of ADHD. About 13% of prescription drug benefits spent on children are for ADHD treatments. Furthermore, research is now showing that many children who begin drug therapy for ADHD continue the therapy through the ages of 20-34.

In addition to medications that treat mental illness, diabetes, and asthma in children, what are other specialty drugs and why do they come at such a cost? The term “specialty drugs” encompasses types of pharmaceuticals that might differ from other prescribed products in their development, in how they are administered to the patient, and in their storage and handling requirements. For example, some specialty drugs are biologics (genetically engineered drugs). Some require administration by injection or infusion, or administration only by a medical professional. Some have special storage, handling and distribution requirements, meaning that they may not be available through the local pharmacy.

Specialty drugs target complex and chronic conditions. Medical conditions for which specialty drug therapy currently is available include cancer, mental illness, human growth hormone disorders, hemophilia, psoriasis, multiple sclerosis, rheumatoid arthritis, immune disorders, infertility, Crohn’s disease, Parkinson’s disease, lupus, diabetes and HIV/AIDS.

Though expensive, a specialty drug — like any appropriately prescribed and properly managed pharmaceutical — ultimately can be a cost-effective part of a patient’s therapy if it aids in that patient’s recovery or prevents a condition from worsening, alleviates pain, or averts the kinds of medical costs and complications that can result from hospitalization and more intrusive interventions. However, because the cost of specialty drugs is so high, health plans and pharmacy benefit managers have implemented various controls to ensure that the outlays for these medications are well-spent and geared toward achieving the desired outcomes. Support services that commonly are seen in specialty drug management programs include injection training, extensive patient education, 24/7 dispensing services, patient monitoring to assure compliance, and automatic refill reminders.

Pharmaceutical market trends and the ongoing development of an increasing number of specialty drugs indicate that this area of pharmacy will grow, and with it the potential impact on an employer’s health care costs. Employers would be well advised to get a handle on how their employee population is utilizing these products, and how their health plan and/or pharmacy benefit manager (PBM) is managing the benefits. Areas to examine include plan design, the plan’s or PBM’s initiatives to secure discount pricing and dispensing fees, and how the plan or PBM ensures optimal patient compliance with their specialty drug regimen.

WHAT IS THE NEAR-TERM FINANCIAL IMPACT OF HEALTH CARE REFORM?

By Employment Resources

Employers are bracing for the financial impact of the new health care reform law, according to a survey from Mercer. A quarter of the nearly 800 employers surveyed said they expect compliance with the first round of mandates included in the law to add at least another 3% to their projected 2011 plan costs; 28% expect an additional increase of 1%-2%, and 13% project an additional increase of less than 1%.

Three of the “immediately” effective health care reform provisions — effective for plan years beginning after September 23, 2010 (January 1, 2011, for calendar year plans) — are discussed below. Given that these and other health care reform provisions include requirements for coverage expansion, for certain types of benefits and for restrictions on benefits limitations, concerns about cost increases are well-founded.

Three health care reform provisions that are likely to have some immediate financial impact on employers are:

1. Expansion of coverage to employees’ young adult children. The health care reform law requires that plans that provide coverage for dependent children now make that coverage available until a child turns age 26. (Until 2014, grandfathered plans can limit this coverage expansion to adult children not eligible for other employer-provided coverage.) In the Mercer survey, 20% of employers said this provision of health care reform was a significant or very significant concern to them. The impact of this coverage expansion will vary, of course, depending in large part on an employer’s demographics — and for some employers, adding a group of young, healthy individuals could possibly help their plan cost. To moderate the impact of this piece of health care reform, employers should take steps to ensure that only truly eligible dependents are on the plan, by conducting dependent audits. As indicated by the Mercer survey, other steps employers said they are considering to blunt the impact of this mandate include requiring proof that dependents do not have coverage available through their own employers (49%); adding contribution tiers based on the number of dependents covered (20%); and imposing higher premium shares for all dependents (16%).

2. Elimination of lifetime limits on benefits. The law prohibits lifetime dollar limits on “essential” health benefits. And this list is long, encompassing most of the types of benefits found in the typical health care plan (e.g., ambulatory patient services, emergency services, hospitalization, maternity/newborn care, mental health and substance abuse benefits, prescription drugs, etc.). (This provision phases in to apply to annual limits, which are banned after 2013.) In the Mercer survey, 21% of employers said this provision was a significant or very significant concern.

3. Preventive care benefits. Plans must cover certain preventive care services without any cost-sharing (deductibles, copayments) required for the employee or dependent receiving the service. Many plans, in particular consumer-directed health plans, already provide full coverage for certain types of preventive care, as a strategy to enable the detection and treatment of illness or disease in the early stages, and as a means to alert employees to lifestyle issues that might be harming their health. Whether this provision “costs” all employers is yet to be seen; some research shows that preventive services, especially when part of a comprehensive health promotion and wellness strategy, generate a return on the investment that an employer makes in the program.

Noncompliance with these or other provisions in the health care reform law also has a cost for employers, in the form of excise taxes and penalties. Therefore, it’s essential to review the pending mandates, not only to ensure compliance, but also to determine how to fold them into an effective and comprehensive health care cost management strategy.

UNDERSTANDING THE PATIENT PROTECTION AND AFFORDABLE CARE ACT: HOW TO MAINTAIN OR LOSE GRANDFATHERED STATUS

By Employment Resources

The Patient Protection and Affordable Care Act enacted a package of health insurance reforms for group health plans, including benefit mandates and health insurance market reforms. “Grandfathered plans,” plans in effect on March 23, 2010 (the date of enactment), are exempt from certain but not all of the law’s provisions.

The Internal Revenue Service, Department of Labor’s Employee Benefits Security Administration and Department of Health and Human Services have jointly issued an interim final rule regarding grandfathered plans, in particular, what changes to grandfathered plans will and will not affect a plan’s status.

Among the Act’s provisions that do not apply to grandfathered plans are the following:

  • The requirement that preventive care services, including immunizations and screenings, are covered with no cost-sharing for plan participants.
  • Requirements under Sec. 105(h) of the Internal Revenue Code that plan provisions do not discriminate in favor of highly compensated employees.
  • Maintenance of claims and appeals processes that include external review.
  • Certain benefits requirements involving provider choice, emergency services and clinical trials.

According to the interim final rule, if a grandfathered plan does any of the following, it will lose its grandfathered status:

  • Eliminate all or substantially all benefits to diagnose or treat a particular condition. This includes the elimination of an element necessary to treat the condition (for example, if a plan provides counseling and prescription drugs for a mental health condition, and eliminates the counseling benefit while maintaining the prescription drug benefit, it will be considered to have eliminated substantially all benefits for the condition and lose its grandfathered status).
  • Increase coinsurance rates, to any extent at all, for plan participants.
  • Increase participant copayment levels by more than the greater of $5 (adjusted annually for inflation) or a percentage equal to medical inflation plus 15 percentage points.
  • Increase a fixed-dollar cost-sharing requirement other than a copayment, such as a deductible, by more than medical inflation plus 15 percentage points.
  • Lower employer cost-sharing by more than five percentage points (for example, decreasing employer cost-sharing while increasing the percentage of employee cost-sharing from 10% to 20%).
  • Add or tighten limits on what an insurer pays (for example, capping or lowering the annual dollar amount covered by a plan for specific services or adding an annual dollar limit maximum where one did not exist on March 23, 2010).
  • Change insurance carriers or purchase a product from a new insurance carrier.

Plan changes such as premium increases and changes in third-party administrators will not cause a plan to lose its grandfathered status. The interim final rule includes special provisions for insured collectively bargained plans. If the collective bargaining agreement was ratified before March 23, 2010, a fully insured plan will be considered grandfathered until the date on which the last agreement relating to the coverage in effect on that date is terminated. Self-insured collectively bargained plans are subject to the same rules as grandfathered plans that are not under a collective bargaining agreement.

As noted above, although grandfathered plans are not subject to some of the Act’s provisions, they are subject to others, such as the prohibition on lifetime limits on the dollar value of benefits and the prohibition on coverage rescissions, except in cases of fraud or an intentional misrepresentation of a material fact by an enrollee. A grandfathered plan also is required to disclose to plan participants that, as a grandfathered plan, it may not include certain elements of the consumer protections provided for under the Act.

Although grandfathered status can offer significant advantages, especially in regard to avoidance of some of the Act’s benefits mandates, employers will need to assess how these balance against the need or desire to modify plan provisions or change carriers in response to rising plan costs and rates.

SUCCESSFUL SAFETY TRAINING FOR A DIVERSE WORKFORCE

By Risk Management Bulletin

When it comes time for safety training, differences among employees in your workforce can present a challenge. To ensure effective training, you need to take these factors into account.

  • Age. Younger workers might have trouble taking their jobs, including the safety aspects, seriously. Older workers, on the other hand, might feel they already know it all and tune you out. Include ways to make it clear to trainees that this is important to all of them,
  • Ability to read and understand English. Many people won’t admit they can’t read or understand English. Be alert to your workers’ ability – or inability – to understand written instructions and to comprehend English. Don’t embarrass them; just make sure that you’re presenting information in a way they can grasp. It might help to involve an additional meeting leader who speaks the workers’ native language.
  • Educational level. If your group includes workers with a wide range of educational backgrounds, you need to come up with an approach that gets the message across to the less educated without being so simplistic that it turns off other workers. You might need to use more demonstration and practice than reading and lectures.
  • Experience with products, processes, and technology. If workers are relatively inexperienced, take a slow, step-by-step approach and limit each safety meeting to a narrow topic. Experienced workers will more readily understand your references to equipment and procedures, allowing you to focus more on the safety aspects and tie them together. However, they’ll also be more likely to resist changes in the way they do their jobs.
  • Tolerance for length and frequency of meetings. How long an attention span do your workers have? How long can they sit still and concentrate? How much can they absorb at once? You’ll have to answer these questions to determine how often you can have safety meetings and how long they can last. The meeting format is also a factor in determining meeting length.
  • Extent of prior safety training. The more training workers have received, the easier each subsequent meeting becomes. Once workers understand certain safety basics and incorporate them into their jobs and work styles, you can get right to the specifics of your meeting.
  • Attitudes toward work and management. If you have some workers who are hostile to you, the company, their jobs, and/or the topic, safety meetings can be stressful. Allow these workers to express their feelings and ask them to try to keep an open mind. Emphasize that their safety is important to you and that these programs will benefit them by making accidents and injuries less likely. It also doesn’t hurt to point out that the same regulations that require companies to provide safety training also require employees to practice the safety methods and practices they’ve been taught on the job.

PERSONAL PROTECTIVE EQUIPMENT: FIVE STEPS TO PROTECTION

By Risk Management Bulletin

In the eyes of many people, personal protective equipment (PPE) is workplace safety. A hard hat, steel-toed shoes, and goggles are the most visible symbols of protection. However, these items form only part of a bigger picture.

OSHA’s PPE standards in 29 CFR 1910.132-138 include general requirements, as well as the rules covering eye and face, respiratory, head, foot, and hand protection. You’ll also find PPE regulations in material safety data sheets, owner/operator manuals, and instructions for specific types of protective gear. Bear in mind that, as much as OSHA stresses the need for PPE, the agency considers it only the third tier of protection, behind engineering and administrative controls — in other words, a “last resort.”

To help employers assess hazards and select the best protection, we’d recommend taking these steps:

  1. Start with a walk-through survey of the area or job. The idea is to identify sources of hazards in categories including impact, penetration, rollover, chemical, heat, harmful dust, and optical radiation.
  2. Consider the sources. During the walk-through, look for hazard sources, including any machinery or processes in which movement of tools, elements, or particles could occur, or where people could collide with stationary objects. Your review should also seek sources of high temperatures, sharp objects, rolling or pinching objects, and electrical hazards, together with a survey of the layout of the work areas.
  3. Analyze the data. Evaluate the findings from your walk-through and estimate the potential for injuries. Review each basic hazard in light of the type and level of risk, and the seriousness of a potential injury.
  4. Select the protection. OSHA recommends PPE selection procedures that compare the hazards associated with the environment against the capabilities of available PPE. Make sure that equipment ensures a level of protection greater than the minimum required. Users should be fitted, instructed on care and use of the PPE, and made aware of warning labels and limitations.
  5. Put it in writing. Describe PPE in a written policy signed by upper management and reviewed periodically. At a minimum, your policy should require personnel to wear, care for and store appropriate PPE provided by the employer; set out relevant PPE duties for supervisors; explain the hazard assessment process; and give the location of the original signed forms.

VIOLENCE ON THE JOB: REDUCE YOUR RISK

By Risk Management Bulletin

On August 3, 2010, Omar Thornton, a driver for a Connecticut beer distributor, killed eight fellow workers, with no warning, before committing suicide. “Ten seconds before [Thornton] started shooting, if you had asked me, does he look like he’s going to react in any way? I would have said ‘no, he seems calm,’” said a company vice president wounded by the gunman.

Criminologists call this a classic example of “murder by proxy” — rampages by employees who attack the co-workers, supervisors, and bosses whom they blame for their outrage. The message is: “Look who’s doing the firing now.”

According to federal statistics, co-workers or former co-workers kill an average of 63 people per year in U.S. workplaces. These eruptions of violence rarely come with a warning, making them hard to stop.

To reduce the risk of on-the-job attacks, especially in cases where employees are about to be terminated, we’d recommend that companies of all sizes implement a violence protection plan that includes these steps:

  • Plan meetings to fire employees carefully, taking into account the location and the number of people present. If there’s any potential for violence (for example, if the employee has a violent past), do the interview off site, have the worker escorted to and from the room, and evaluate the need for having a security guard or an off-duty police officer present.
  • In extreme cases, consider using such security measures as body searches or metal detectors; however, bear in mind that these steps can backfire by inflaming the situation.
  • Avoid angering the employee unnecessarily. Choose your words carefully to convey empathy, not sympathy, and acknowledge that the worker is highly stressed.
  • Train your employees to recognize such signs of potential violence in co-workers as verbal threats, temper tantrums, or a display of weapons in the workplace.

However, regardless of warning signs and security measures, experts say there’s little that managers can do to stop a determined gunman. “The only way to guarantee you never become a victim of a workplace shooting is to be self employed,” notes Jim Francis of T&M Protection Resources, a New York-based security firm.

SECOND OPINIONS UNDER THE ADA

By Your Employee Matters

Last month one of our Members had to deal with a request for disability accommodation/leave that seemed contrived by the employee as a way to protect her job. The question was whether the company could send the employee for a second opinion from a doctor of their choice. Here is the response from Linda Batiste, counsel for JAN:

“In general, you can ask for a second opinion if you have insufficient information in the first opinion you received. For example, if an employee indicated she needs a certain accommodation, but the statement by the employee’s doctor does not provide you with all the information you need to justify the accommodation, you can require a second opinion.

“The following is from Disability-Related Inquiries and Medical Examinations of Employees under the ADA.

“May an employer require an employee to go to a health care professional of the employer’s (rather than the employee’s) choice when the employee requests a reasonable accommodation?

“The ADA does not prevent an employer from requiring an employee to go to an appropriate health care professional of the employer’s choice if the employee provides insufficient documentation from his/her treating physician (or other health care professional) to substantiate that s/he has an ADA disability and needs a reasonable accommodation. (55) However, if an employee provides insufficient documentation in response to the employer’s initial request, the employer should explain why the documentation is insufficient and allow the employee an opportunity to provide the missing information in a timely manner.(56) The employer also should consider consulting with the employee’s doctor (with the employee’s consent) before requiring the employee to go to a health care professional of its choice.(57)

“Documentation is insufficient if it does not specify the existence of an ADA disability and explain the need for reasonable accommodation.(58) Documentation also might be insufficient where, for example: (1) the health care professional does not have the expertise to give an opinion about the employee’s medical condition and the limitations imposed by it; (2) the information does not specify the functional limitations due to the disability; or, (3) other factors indicate that the information provided is not credible or is fraudulent. If an employee provides insufficient documentation, an employer does not have to provide reasonable accommodation until sufficient documentation is provided.

“Any medical examination conducted by the employer’s health care professional must be job related and consistent with business necessity. This means that the examination must be limited to determining the existence of an ADA disability and the functional limitations that require reasonable accommodation. If an employer requires an employee to go to a health care professional of the employer’s choice, the employer must pay all costs associated with the visit(s).(59)

“The Commission has previously stated that when an employee provides sufficient evidence of the existence of a disability and the need for reasonable accommodation, continued efforts by the employer to require that the individual provide more documentation and/or submit to a medical examination could be considered retaliation.(60) However, an employer that requests additional information or requires a medical examination based on a good faith belief that the documentation the employee submitted is insufficient would not be liable for retaliation.

“May an employer require that an employee, who it reasonably believes will pose a direct threat, be examined by an appropriate health care professional of the employer’s choice?

“Yes. The determination that an employee poses a direct threat must be based on an individualized assessment of the employee’s present ability to safely perform the essential functions of the job. This assessment must be based on a reasonable medical judgment that relies on the most current medical knowledge and/or best objective evidence.(61) To meet this burden, an employer might want to have the employee examined by a health care professional of its choice who has expertise in the employee’s specific condition and can provide medical information that allows the employer to determine the effects of the condition on the employee’s ability to perform his/her job. Any medical examination, however, must be limited to determining whether the employee can perform his/her job without posing a direct threat, with or without reasonable accommodation. An employer also must pay all costs associated with the employee’s visit(s) to its health care professional.(62)

“An employer should be cautious about relying solely on the opinion of its own health care professional that an employee poses a direct threat where that opinion is contradicted by documentation from the employee’s own treating physician, who is knowledgeable about the employee’s medical condition and job functions, and/or other objective evidence. In evaluating conflicting medical information, the employer may find it helpful to consider: (1) the area of expertise of each medical professional who has provided information; (2) the kind of information each person providing documentation has about the job’s essential functions and the work environment in which they are performed; (3) whether a particular opinion is based on speculation or on current, objectively verifiable information about the risks associated with a particular condition; and, (4) whether the medical opinion is contradicted by information known to or observed by the employer (e.g., information about the employee’s actual experience in the job in question or in previous similar jobs).”

CYBER LIABILITY 101

By Your Employee Matters

What is Cyber Liability?

In 1992, when I started our company and bought my first computer (a Gateway 33 MHz), you couldn’t buy a “Cyber Liability” policy. Few people knew what a “website” was, and “security breaches” created images of Mission Impossible.

Flash forward to 2010, and issues arising out of data security, management of confidential information, and infringement of intellectual property rights are all considered major exposures. In today’s interconnected cyberworld, the potential for catastrophic loss has escalated dramatically. Although the early “hackers” seemed to be challenging themselves intellectually to see what type of mischief they could cause, today’s cyberthieves have serious criminal intent in mind. Terrorists, organized crime, and random computer geeks working alone are making cyber crime a growth industry. According to Privacy Rights Clearinghouse, more than 263 million data records of U.S. residents have suffered breaches since 2005.

Risk Analysis

Step one in the Cavignac & Associates Risk Management Process is “risk analysis: Identifying assets or circumstances which could lead to a loss.” This process, also known as “exposure analysis,” defines the assets or circumstances as “loss exposures.” Potential exposures include the loss of your company’s data and the cost of restoring it, defending against or settling a third-party claim, cyber extortion, damage to reputation, notifying individuals whose personal information might have been compromised, and paying for credit monitoring of individuals (if required by law). Nearly every state now requires businesses that have compromised an individual’s information to notify that individual. One study of larger companies estimated the cost of a data breach at $204 per compromised record. The same study calculated the average cost of a single data breach at $6.75 million!

Risk Control

Once you’ve defined your exposures, you need to determine how you can manage them. In other words, what can you do to lower the likelihood of a cyber liability claim or the severity of a claim if one occurs? A number of companies focus on helping businesses manage and protect both their own data and the data of their customers. The key is to centralize IT management and develop enforceable policies and procedures across your network. Check the implementation of these policies and procedures periodically. After a suspected or actual breach, take action as soon as possible. If necessary, call the appropriate IT security specialist companies.

Is This Risk Insurable?

As cyber liability exposures have evolved, so has insurance coverage. Although the Insurance Services Office (ISO) created a “standard” policy in November of 2009, most policies today are unique to the company offering the coverage. This means that you’ll need to evaluate the policy to make certain it addresses your potential exposures. These policies include both first-party and third-party coverages. First-party coverage pays you for the costs of repairing or replacing damage caused by a covered peril; third-party coverage includes the cost of defending and settling third-party claims, including regulatory actions.

Cyber Liability policies usually include some or all of these coverages:

  • Website Publishing Liability – Nearly everyone has a website these days. This coverage protects you from liability based on information posted on your website, which might include actual or alleged misstatements; infringement of another’s copyright, trademark, etc.; or violation of a person’s right to privacy.
  • Security Breach Liability – Covers your liability from a security breach or transmission of a computer virus to a third party. A security breach occurs if an unauthorized person accesses the personal information of another, or if someone authorized to access such information uses it inappropriately.
  • Programming Errors and Omissions Liability – Protects against your legal liability from actual or alleged programming errors that lead to disclosing a client’s personal information.
  • Replacement or Restoration of Electronic Data – This first-party coverage repays you for replacing or restoring data or programs damaged or destroyed as a direct result of a computer virus or similar bug.
  • Extortion Threats – Reimburses you for extortion expenses and ransom payments resulting directly from an extortion threat. These threats usually involve introducing a virus or malicious code, or publishing clients’ personal information.
  • Business Income and Extra Expense – Covers loss of business income and extraordinary operating expenses due to a cyber incident or extortion threat.
  • Public Relations Expense – Cyber liability incidents can create bad press. This covers the costs of a public relations firm to help you protect or restore your reputation after such an incident.
  • Security Breach Expense – Covers the often significant expenses of notifying others that their personal information has been compromised. These costs include overtime salaries for employees dealing with the issue, fees and costs of a company hired to operate a call center, post-event credit monitoring services, and other reasonable expenses.

The Cost

Cost can vary dramatically, depending on the type of business, type and volume of information on file, and other factors. Because Cyber Liability insurance is a relatively new coverage, there’s not a large enough database to calculate rates. Most companies are basing their prices on what they believe the exposure to be and what they think they can charge. Annual premiums for smaller firms (with fewer than 50 employees) will probably range from $1,000 to $10,000. Larger firms might expect to pay $15,000 to $25,000.

Best Practices

Every firm, regardless of size, should evaluate its exposure to this type of loss and determine what steps it can take to manage this type of potential claim. Finally, you should obtain a quotation for coverage. Even if you don’t buy the coverage, you should know the cost and make the conscious decision not to buy it as opposed to assuming you don’t want to afford it.

Managing a Security Breach

If you become aware of an actual or potential security breach, investigate it immediately! If personal information has been compromised, at a minimum, you should take these steps:

  • Depending on the circumstances, contact local law enforcement and, if appropriate, the FBI and possibly the U.S. Postal Inspection Service (if the fraud involves mail theft).
  • Notify any businesses that the breach might affect.
  • Notify any individuals whose personal information might have been compromised. Designate a contact person to coordinate the notification process.
  • If the incident involves Social Security numbers, credit card information, or other sensitive personal information, contact the major credit bureaus.
  • Remove any inappropriately posted information on your website immediately.
  • Consult with counsel to make certain you’re complying with any applicable laws, specifically those pertaining to notification and credit monitoring.
  • Notify your insurance advisor to determine if insurance might apply to the incident.
  • If necessary, consider contacting your public relations consultant to help manage the process and protect your firm’s reputation.

Article Courtesy of Jeffrey Cavignac of Cavignac and Associates (www.cavignac.com). Jeff is a long-time HR That Works and Sitkins International member located in beautiful downtown San Diego.